Words with special meanings


In the text of these guidelines, words with special meanings are printed in bold. These words are explained 
in Meaning of words. 


Words with special meaning are only in bold the first time they appear in each section of information. 


Words with special meanings include the various forms of that word (for example, "use" includes used,
using etc; "disclosure" includes disclose, disclosing etc).


The text also uses "information" as a shortened form of "personal information". 


Introduction to these guidelines 


The Information Privacy Principles (IPPs) in section 14 of the Privacy Act 1988 set out standards for
handling personal information that legally bind agencies.


IPPs 8-11 deal with using and disclosing personal information. These guidelines are the Privacy 
Commissioner's view of how IPPs 8-11 work and have been prepared after consulting Privacy Contact 
Officers in relevant agencies. These guidelines are not legally binding. 


Nothing in these guidelines limits the Privacy Commissioner's freedom to investigate complaints under the 
Privacy Act and to apply the IPPs in the way that seems most appropriate to the facts of the case being 
dealt with. 


The Privacy Commissioner can determine that an agency has breached an IPP and that compensation is 
payable to the complainant. 


This is the second set of IPP guidelines published by the Privacy Commissioner. Plain English guidelines to 
IPPs 1-3 (dealing with collecting personal information) were published first. IPPs 8-11 have been dealt 
with next because they are complex and have generated more issues for agencies and the Privacy 
Commissioner than the other IPPs. 


What do the IPPs do? 


There are eleven IPPs in the Privacy Act. Most agencies that handle information about people must 
follow these IPPs. The IPPs: 


• regulate the way an agency collects, stores, uses and discloses information about people
• allow people access to information that an agency keeps about them
• allow people to request changes to this information


IPPs reflect ideas set out in the OECD guidelines 


Many of the IPPs reflect ideas set out in the Organisation for Economic Cooperation and Development's 
Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (the OECD 
guidelines). These were promulgated in 1980. 


In 1984, Australia committed itself to taking the guidelines into account in domestic legislation. The Privacy 
Act assists in meeting this commitment. 


Who do the IPPs apply to?


The IPPs apply to agencies. An agency is required by law to comply with the IPPs. Section 16 of the 
Privacy Act says that "an agency shall not do an act or engage in a practice that breaches an Information 
Privacy Principle." 


How to use these guidelines 


1. Use the Quick reference guide on page 3 to see which IPPs apply to your use or disclosure of 
personal information. 

2. Use the Table of contents to help you find guidelines on topics that might be relevant.

3. Some of the words used in these guidelines have special meanings. Use the Meaning of words section 
to help explain words that are in bold type, and their variations. 


How can I get more advice about the IPPs? 


The Privacy Commissioner has published various guidelines and documents on the Privacy Act. These 
include: 


• Plain English guidelines to IPPs 1-3

• a document called Outsourcing and Privacy. This document contains model privacy clauses that can
  be used in contracts in which the agency engages outsiders to perform functions that involve handling
  personal information. Copies are available from the Privacy Commissioner's Office.


Both of these documents are available on the Commonwealth Managers Toolbox. Limited copies of the 
Plain English guidelines to IPPs 1-3 are also available from the Privacy Commissioner's Office. 


For more information about the IPPs, you can also consult the Privacy Contact Officer in your agency. 


If the Privacy Contact Officer cannot help you, you can phone the Privacy Commissioner's office toll-free 
on the privacy hotline number: 1 800 023 985 


The Privacy Commissioner's address is: GPO Box 5218, Sydney NSW 2001


Quick reference guide to when IPPs 8-11 apply

IPPs 8-11 apply when an agency intends to use, or disclose, personal information.

Are you dealing with "personal information"?


Read the definition of personal information on page 10 to help you decide if the information with which 
you are dealing is personal. 


Are you "using" or "disclosing" that information?


Read The meaning of "use" and "disclosure" of information on pages 11 to 13 to help you decide 
which category your activity falls into. Then read the IPPs and guidelines that are relevant to that activity. 


If you are "using" personal information...

The IPPs governing the use of personal information are:


• IPP 8 (read guidelines 1-5)
• IPP 9 (guidelines 6-9)
• IPP 10.1 (guidelines 10 and 12)
• exceptions to IPP 10.1:
  - generally (guideline 13)
  - 10.1(a) (guidelines 14-17) "consent by the individual concerned"
  - 10.1(b) (guidelines 25-29) "threat to life or health"
  - 10.1(c) (guidelines 30-35) "required or authorised by law"
  - 10.1(d) (guidelines 36-42) "law enforcement and revenue protection"
  - 10.1(e) (guidelines 43-45) "directly related purpose"
• IPP 10.2 (guidelines 46 and 47)


If you are "disclosing" personal information...


The IPPs governing the disclosure of personal information are: 


• IPP 11.1 (read guidelines 11 and 12)
• exceptions to IPP 11.1:
  - generally (guideline 13)
  - 11.1(a) (guidelines 18-24) "aware the disclosure is usual practice"
  - 11.1(b) (guidelines 14-17) "consent by the individual concerned"
  - 11.1(c) (guidelines 25-29) "threat to life or health"
  - 11.1(d) (guidelines 30-35) "required or authorised by law"
  - 11.1(e) (guidelines 36-42) "law enforcement and revenue protection"
• IPP 11.2 (guideline 42)
• IPP 11.3 (guidelines 46-48)


Also be aware of IPP 4 


Agencies must also take care not to breach IPP 4 which deals with the security of personal information. 
This IPP applies to all agencies in possession or control of personal information. It requires an agency 
to reasonably protect personal information against unauthorised access, use, modification or disclosure. 


Text and summary of IPPs 8-11 

Actual text of IPPs 8-11 as set out in the Privacy Act 

Text of IPP 8 

A record-keeper who has possession or control of a record that contains personal information shall not 
use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure 
that, having regard to the purpose for which the information is proposed to be used, the information is 
accurate, up to date and complete. 


Summary of IPP 8 


An agency must take reasonable care to check that personal information is accurate, up to date, and
complete, before using it.


Text of IPP 9 


A record-keeper who has possession or control of a record that contains personal information shall not 
use the information except for a purpose to which the information is relevant. 


Summary of IPP 9


An agency must only use personal information for a purpose to which it is relevant.


Text of IPP 10.1


A record-keeper who has possession or control of a record that contains personal information that 
was obtained for a particular purpose shall not use the information for any other purpose, unless: 


(a) the individual concerned has consented to use of the information for that purpose;

(b) the record-keeper believes on reasonable grounds that use of the information for that other purpose
is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual
concerned or another person;

(c) use of the information for that other purpose is required or authorised by or under law; 

(d) use of the information for that other purpose is reasonably necessary for the enforcement of the 
criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or 

(e) the purpose for which the information is used is directly related to the purpose for which the 
information was obtained. 


Summary of IPP 10.1 


An agency must not use personal information for any purpose other than that for which it obtained the 
information, unless: 


(a) the person the information is about consents, or

(b) the use is necessary to protect against a serious and imminent threat to a person's life or health, or

(c) the use is required or authorised by law, or

(d) the use is reasonably necessary to enforce the criminal law or a law imposing a pecuniary penalty, or
to protect public revenue, or

(e) the use is directly related to the purpose for which the agency obtained the information.


Text of IPP 10.2 


Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary 
penalty, or for the protection of the public revenue, the record-keeper shall include in the record 
containing that information a note of that use. 


Summary of 10.2 


An agency that uses personal information under exception 10.1(d) must note that use on the record 
containing the information. 


Text of IPP 11.1 


A record-keeper who has possession or control of a record that contains personal information shall not 
disclose the information to a person, body or agency (other than the individual concerned) unless: 


(a) the individual concerned is reasonably likely to have been aware, or made aware under principle 2,
that information of that kind is usually passed to that person, body or agency;

(b) the individual concerned has consented to the disclosure;

(c) the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or
lessen a serious and imminent threat to the life or health of the individual concerned or of another
person;

(d) the disclosure is required or authorised by or under law; or

(e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a
pecuniary penalty, or for the protection of the public revenue;


Summary of IPP 11.1 


An agency must not disclose personal information unless: 


(a) the person the information is about has been told in a valid IPP 2 notice, or is otherwise likely to
know, that that kind of disclosure is commonly made, or

(b) the person the information is about has consented, or

(c) the disclosure is necessary to protect against a serious and imminent threat to a person's life or health,
or

(d) the disclosure is required or authorised by law, or

(e) the disclosure is reasonably necessary to enforce the criminal law or a law imposing a pecuniary
penalty, or to protect public revenue.


Text of 11.2 

Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law
imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the
record-keeper shall include in the record containing that information a note of the disclosure.


Summary of 11.2 


An agency that discloses personal information under exception 11.1(e) must note that disclosure on
the record containing the information.


Text of 11.3 

A person, body or agency to whom personal information is disclosed under clause 1 of this principle
shall not use or disclose the information for a purpose other than the purpose for which the information was
given to the person, body or agency.


Summary of 11.3 


If an agency discloses any personal information, the recipient must only use or disclose it for the 
purpose for which it was disclosed to them. 


How do the IPPs relate to other Acts? 

IPPs apply alongside other legislation 

If IPPs 10 or 11 allow a use or disclosure, that use or disclosure will still be unlawful if other legislation
makes it unlawful. So if an agency's own legislation says that it cannot use or disclose personal
information in a particular way, the agency must comply with that legislation - even if IPP 10 or 11
would permit the use or disclosure.

IPPs 10.1 and 11.1 do not prevent an agency using or disclosing personal information if another law
specifically requires or authorises the agency to do so. (This is stated in exceptions IPP 10.1(c) and IPP
11.1(d).)


If a law specifically prohibits or permits a use or disclosure, an agency must comply with it. IPPs 10.1(d) 
and 11.1(e) cannot be used to extend the permitted uses or disclosures. 


IPPs only set out minimum standards 


The IPPs only set out minimum legal standards for agencies in dealing with personal information. A
higher standard may be appropriate, even if the IPPs do not require it.

It may be appropriate for an agency to take more care to protect people's privacy (than the IPPs require) if:


• particularly sensitive personal information is involved, or
• using or disclosing personal information is likely to have serious consequences for the person the
  information is about.


How do the IPPs relate to common law limits on use and disclosure? 
Common law duties of confidence 


Common law duties of confidence (for example, the duty owed by doctors to their patients, or by lawyers 
to their clients) may limit an agency's ability to disclose personal information. 


Part VIII of the Privacy Act extends the operation of the common law duty of confidence to cover 
agencies that obtain information from sources that have themselves obtained the information subject to a 
duty of confidence. 


For example: Agency A obtains information from an individual under a duty of confidence and then 
discloses the information to Agency B. The individual can sue Agency B directly if it should have known 
about the duty of confidence but fails to keep the information confidential. 

Johns v ASC 


In Johns v Australian Securities Commission (1993) 116 ALR 56, the High Court held that if someone 
compulsorily obtains information using a statutory power, they must: 


• only use or disclose that information for the purposes set out in, or implied by, the statute, and
• otherwise treat the information as confidential.


If the Johns case applies to limit the purposes for which information may be used or disclosed, uses and
disclosures that would otherwise be permitted by IPPs 8-11 are unlawful if they fall outside those
purposes.


Personal information obtained before 1 January 1989 


IPPs 8 and 9 apply to all personal information, whenever obtained. But IPPs 10 and 11 only apply to 
personal information that an agency: 


• obtains on or after 1 January 1989 (the date the Privacy Act commenced), or
• obtained before 1 January 1989 but amends on or after that date in a way that significantly changes its
  meaning.


An agency is advised to treat all personal information as being subject to all IPPs


It may be difficult for an agency to work out exactly what personal information IPPs 10 and 11 apply
to. So the Privacy Commissioner encourages an agency to comply with all IPPs when handling personal
information - no matter when it was obtained.


Doing this will: 


• more effectively safeguard the privacy of all people about whom an agency holds information, and
• remove the possibility of an agency making, or being accused of making, unfair or arbitrary distinctions
  when trying to work out what information to protect.


Personal information in generally available publications 


IPPs 8-11 do not apply to personal information in a generally available publication. But they do 
apply to the same information if it appears in a record held by an agency. 


How to manage the use and disclosure of personal information 
Setting up a control system 


An agency should set up policies and procedures that effectively manage the way in which staff use and 
disclose personal information. This can help minimise the risk of breaching IPPs 8 to 11 as well as IPP 
4. 


IPP 4 requires an agency to take all reasonable measures to safeguard personal information against 
unauthorised access, use, modification or disclosure. 


Some options for minimising risk of breaching the IPPs 


It is not only the IPPs that an agency must take into account when setting up a system to control 
information - and these guidelines do not try to lay down detailed rules for designing such a system. But 
here are some options that an agency may consider to minimise the risk of breaching the IPPs: 


... minimising risk generally


• train staff in privacy requirements (including the agency's policy on use and disclosure).
• have a contact officer (who could be the agency's Privacy Contact Officer) available to advise on how
  IPP requirements apply in cases where this is not clear.


... minimising risk in using and disclosing personal information


• have policies on using and disclosing personal information that are accessible, and explained, to all
  staff. Policies should be reviewed from time to time to make sure they are still relevant. It is important
  that the policies give practical advice on situations that regularly arise in the organisation. Policies that
  only state principles are insufficient.

  Policies should explain:

  - what information can be used or disclosed
  - when the information can be used or disclosed
  - which staff may use or disclose the information
  - to whom the information may be disclosed
  - how to use personal information within the agency
    This is especially important in an agency whose range of functions means that different parts of the
    agency are likely to hold personal information for unrelated purposes.
  - any other restrictions on using or disclosing personal information
    For example: the information may only be able to be disclosed for certain purposes, or only if certain
    conditions are met by the person requesting the information.
  - any actions that should accompany use or disclosure.
    For example: recording the disclosure.
  - any special procedures that apply to personal information held on computer systems.

• identify classes of requests for disclosures and determine what level of officer can make decisions
  about each class. Decisions about difficult requests or requests that may have serious consequences
  (embarrassment, financial damage, physical danger) may be reserved for more senior officers.

• if an agency is frequently asked to disclose personal information to another body, it should set out
  its policies in a written agreement between the agency and the body to which it discloses the
  personal information.

... minimising risk if an agency handles information on behalf of another agency

Any arrangements that involve one agency handling personal information on behalf of another, should be
set out clearly in a written agreement between the two agencies (unless other legislative arrangements
apply). This clarifies and strengthens the chain of accountability. The agreement should address:

- the types of personal information involved
- which officers of the handling agency are to have access to the information
- what safeguards are to be put in place to protect the information
- procedures to be followed if the handling agency mishandles the information
- arrangements for liaising between the agencies.


Meaning of words 

The meanings used here are based on the definitions in sections 6 and 10 of the Privacy Act.


agency

Agencies are generally federal government organisations. These organisations include:


• federal government departments
• bodies and tribunals set up for a public purpose by federal government laws.


Agencies also include: 


• contracted case managers under the Employment Services Act
• Australian Capital Territory government organisations.

State, Northern Territory, and local government organisations are not "agencies".

Some organisations, even if set up by federal government laws, are not "agencies". These include:

• incorporated companies
• incorporated societies, and
• incorporated associations.


The IPPs legally bind most agencies.


disclosure

See The meaning of "use" and "disclosure" of information below.


generally available publications


Generally available publications include things like magazines, books, newspapers, annual reports, the 
Government Gazette and public databases like the Electoral Roll. 


Note that IPPs 8-11 do not apply to personal information in a generally available publication. But they 
do apply to the same information if it appears in a record held by an agency. 


personal information 


The Privacy Act (and these guidelines) only covers personal information. This is information or opinions 
that can identify a living person. 


Information about dead people is not technically personal information, but agencies are encouraged to 
respect the sensitivities of family members when using or disclosing it. 


record 

A record is a: 
• document
• database
• photograph or picture of people.


The Privacy Act lists a number of exceptions to this definition. For example, generally available 
publications are not "records". 


record-keeper

A record-keeper is an agency that possesses or controls a record of personal information.

If one agency possesses a record, but another agency controls it, each agency is a record-keeper.


use

See The meaning of "use" and "disclosure" of information below. 

The meaning of "use" and "disclosure" of information

The meanings used here are based on the definitions in section 6 of the Privacy Act. 

What is a use? 


Use is interpreted broadly. It relates to managing personal information within an agency.

As a general rule, any accessing by an agency of personal information in its control is a "use". This
includes:

• searching records for any reason
• using personal information in a record to make a decision
• passing a record from one part of an agency to another part with a different function.


Use also includes publishing personal information.


What is a disclosure?


The Privacy Commissioner interprets a disclosure as a release of personal information from the effective 
control of the agency. An agency may release the personal information: 


• automatically, to a person or body that the agency knows has a general authority to access that
  personal information, or
• in response to a specific request.


Note: If an agency gives personal information to an outsider whom it has contracted to work for it, the 
agency may be treated as using, not disclosing, that information. To find out when, please see When is 
passing information outside an agency a use? 


Examples of disclosures: 


• If agency staff act to give someone outside the agency a record containing personal information,
  and the staff do not retain control over that information, there is a disclosure.

• If an agency does something once (like setting up a computer logon) which allows someone outside
  the agency to access personal information many times, there is a disclosure each time the outside
  person accesses the information using that means.


This is consistent with the purpose of the Privacy Act - to give individuals an enforceable right to have an
agency handle their personal information in a way that adequately protects their privacy.


Relationship between use and disclosure 

An agency's action cannot be both a use and a disclosure 

Use does not mean disclosure and disclosure does not mean use. So either IPP 10 (use of personal
information) or IPP 11 (disclosure of personal information) can apply to an agency's action - but not
both.


If a single administrative process involves both a use and disclosure, these are considered separately under 
IPP 10 and IPP 11 respectively. 


When is passing personal information outside the agency a use?

An agency may pass personal information to an outside person or organisation. The test for working out
if this act is a use or disclosure is always whether or not the agency maintains control over that personal
information:

• An agency that gives up its control over the personal information to the outsider is treated as
  disclosing that information.
• An agency that maintains control over the personal information is treated as using that information.

An agency maintains control over personal information if: 


• it gives the personal information to the outsider to use for a limited purpose that assists or benefits the
  agency, and
• an agreement between the agency and outsider:
  - binds the outsider not to use or disclose the personal information except for the limited purpose,
    and
  - gives the agency the right to access, change or retrieve the personal information.


For example: An agency may give personal information to an outsider who is contracted to do work 
for the agency (for example, under a contract for information technology services, or mailing house 
services). The agency is treated as using the information if: 


• the outside contractor is using the information solely to perform a function of the agency, and
• the contract gives the agency control over the information.


An employee's use or disclosure is treated as that of the agency 


If an agency's employee uses or discloses personal information in the course of their duties, the 
agency is treated as having used or disclosed that personal information. 


An employee may still be acting "in the course of their duties" if they use or disclose personal information 
in good faith, not realising that what they are doing is unauthorised or prohibited. 


An employee is not acting "in the course of their duties" if they use or disclose personal information 
knowing that the use or disclosure is unauthorised or prohibited. These acts are not treated as those of the 
agency. 


But if an agency fails to reasonably protect personal information against unauthorised access, use, or 
other misuse, it may be in breach of IPP 4. 


Post box arrangements 


Post box arrangements operate where one agency gives another a letter to be mailed out, and the names 
of who it is to be mailed to. The second agency (which holds the addresses of those people) does the 
actual mailing without revealing the addresses to the first agency. 


The second agency only uses the addresses - it does not disclose them to anyone. If the purpose of the
mail out is different from the purpose for which the second agency originally obtained the addresses, IPP
10.1 will apply and the mail out will be unlawful unless one of the exceptions under IPP 10.1 applies.


Information Privacy Principle 8
- use only accurate, up to date, and complete information


What are the guidelines on IPP 8?


Guideline 1 gives the text of IPP 8

Guideline 2 tells you what personal information is covered by IPP 8

Guideline 3 explains the extent to which personal information needs to be checked and when
checking is reasonable.

Guideline 4 tells you to check personal information consistently with IPP 3

Guideline 5 tells you to amend all relevant records with accurate, up to date, or complete information
that you get


1 What does IPP 8 say? 
The text of IPP 8 is: 


A record-keeper who has possession or control of a record that contains personal information shall 
not use that information without taking such steps (if any) as are, in the circumstances, reasonable to 
ensure that, having regard to the purpose for which the information is proposed to be used, the 
information is accurate, up to date and complete. 


Meaning of IPP 8 
IPP 8 imposes obligations on an agency concerning the quality of the personal information it uses. 


IPP 8 says that before an agency can use personal information, it must take reasonable steps to make 
sure that it is accurate, up to date, and complete. 


2 What information does IPP 8 apply to?

IPP 8 applies to all personal information held by an agency, whenever obtained.


3 Checking the quality of personal information


How likely is the information to be inaccurate, out of date, or incomplete? 


The extent to which an agency must check the quality of personal information before using it depends 
on how likely it is that the personal information is inaccurate, out of date, or incomplete. 


The more likely it is that the information is inaccurate, out of date, or incomplete, the more reasonable it is 
for an agency to check the personal information before using it. 


Note:


• birth dates do not become out of date or incomplete - accuracy is the only consideration

• marital status, surname, occupation, address, and similar details, can be inaccurate and can easily
  become out of date

• more complex personal information (for example, a criminal history, a medical report, or an
  academic record) can be inaccurate, out of date, or incomplete. So, care should always be taken to
  make sure that the information is correct.


The more serious the consequences, the more reasonable it is to check


The more serious the consequences of the personal information being inaccurate, out-of-date, or 
incomplete, the more reasonable it is for the agency to check the information before using it. 


For example: 

• If an agency is going to cut off someone's pension, a mistake in the information on which the decision
  is based may have serious consequences. So, it is most important that the information is accurate, and
  extensive checking may be regarded as reasonable.

• If an agency is posting a notice to an employer about an employee who is liable to pay child
  maintenance, the consequences of not checking the address supplied by the employee may be serious.
  For example, if the employee wants the information kept confidential but someone other than the
  employer receives and opens the notice, the employee's privacy is unnecessarily invaded.

• If an agency is going to send out a newsletter to its clients, the consequences of a mistake may not be
  so serious, and less detailed checking may be regarded as reasonable.


It is best to check with the original source 


The most reliable way of checking if personal information is accurate, up-to-date and complete is to 
check it against the original source. 


But sometimes an agency cannot reasonably check the original source of personal information before 
using it, for example: 


• the original source may no longer be available
• checking the original source may be unreasonably expensive
• the consequences of the personal information being incorrect are not serious.


If an agency cannot reasonably check personal information with the original source, there are almost 
always things it can do to make sure the information it uses is of high quality. 


For example: if an agency is doing a bulk mail out to its clients, it would not be reasonable to check name 
and address details with each client at the time. But it would be reasonable to make sure that changes of 
address are processed quickly and accurately in maintaining the database. 


4 Checking must be done consistently with IPPs 1-3 


If it is reasonable for an agency to check the quality of personal information, the agency must do it in a
way that does not breach IPPs 1-3. These IPPs deal with obtaining personal information.


The Privacy Commissioner's plain English guidelines to IPPs 1-3 are available on the Commonwealth 
Managers' Toolbox and from the Commissioner's Office. 


As a general rule, an agency should first check personal information: 


• with the person the information is about, or
• against other internal records that were collected for the same purpose and that may confirm the
personal information.


Checking personal information with a third party 


Checking personal information with a third party intrudes on the privacy of the person who the 
information is about, and should only be done if checks with that person or against other internal records 
prove unsatisfactory. 


For example: A woman is claiming a single parent benefit from an agency. She admits that she shares 
some domestic arrangements with a man but denies that they are in a marriage-like relationship. The 
agency does not bother interviewing the man in question, but instead interviews various other people in the 
community about the relationship. This causes the matter to become widely known in the community. If the 
agency had first approached the man in question, it may not have needed to interview the other people, 
and the matter may have remained private. 


5 Amend all relevant records 


If the agency gets correct personal information to amend inaccurate, out of date, or incomplete 
personal information, it should amend all records that contain that information at the same time. 


For example: if a number of copies of a document containing the inaccurate, out of date, or incomplete 
personal information are held at different places within an agency, it is sensible to amend them all. 


Amending all relevant records: 

• removes the need to check the one piece of personal information repeatedly, and

• reduces the risk of future breaches of IPP 8 by an agency (which may assume that unamended
records are accurate, up to date, and complete).


What about records with historical value? 


It may be inappropriate to amend original records with some historical value. Instead, the agency may 
add a note to the record that sets out the accurate, up to date, or complete personal information. 


Information Privacy Principle 9 
- use information for a purpose to which it is relevant 


What are the guidelines on IPP 9? 


Guideline 6 gives the text of IPP 9
Guideline 7 tells you what information IPP 9 applies to
Guideline 8 explains how a use permitted by IPP 9 may still be unlawful under IPP 10.1
Guideline 9 gives examples of non-relevant purposes


6 What does IPP 9 say? 


The text of IPP 9 is:

A record-keeper who has possession or control of a record that contains personal information shall
not use the information except for a purpose to which the information is relevant.


Meaning of IPP 9 


IPP 9 says that an agency must only use personal information for a purpose to which the information is 
relevant. An agency must ask itself: 


• for what purpose is the personal information being used?
• is that personal information relevant to that purpose?


7 What information is covered by IPP 9?

IPP 9 applies to all personal information held by an agency, whenever obtained.

8 A use permitted by IPP 9 may still be unlawful under IPP 10.1


Even if use of personal information for a particular purpose is "relevant" under IPP 9, an agency must 
still make sure that the use is lawful under IPP 10.1. The use is unlawful under IPP 10.1 if: 


• the particular purpose is different from the purpose for which the information was obtained, and
• none of the exceptions to IPP 10.1 apply.


9 When is information not relevant to a purpose for which it is being used? 


Here are some examples of when an agency may be using personal information for a purpose to which 
it is not relevant: 


• personal information used in job selection processes


An agency uses the information that a person has (or does not have) a particular type of security 
clearance, in a selection process for a job that does not require that kind of clearance. The agency 
may be treated as breaching IPP 9. 


• information with personal identifiers used in statistical research


An agency uses records containing personal information with personal identifiers (like name and 
address) still attached, in research for statistical purposes. This research does not require individual 
data subjects to be identified. The agency may be treated as breaching IPP 9. 


But the agency may not be breaching IPP 9 if the purpose for which it uses the information is a 
"longitudinal study", which aims to gather statistical data on the experience of a group of people over 
time. In this type of study, it is necessary to contact the same people at regular intervals. So the 
identifying details of the sample members are relevant to the purpose of the study, and the information 
is clearly relevant to the purpose for which it is being used. 


• personal information about a person's relatives


An agency uses information about the criminal history of a person's relatives for assessing that
person's likely behaviour or preferences. The agency may be at risk of breaching IPP 9 because 
information about a person's relatives is rarely relevant in making decisions about the person 
themselves. 


• personal information about a person's religion, ethnic background, or sexuality


An agency uses information about a person's religion, ethnic background, or sexuality in making a 
decision. The agency may be treated as breaching IPP 9 if the information is not relevant to the 
decision. The agency needs to take great care in assessing the relevance of this information before it 
decides to use it in its decision making. 


Note that even if the personal information is relevant to the purpose it is used for, anti-discrimination 
legislation may still apply. 


Information Privacy Principles 10.1 and 11.1 
- basic rules about using and disclosing 


What are the guidelines on the basic rules in IPP 10.1 and 11.1? 


Guideline 10 gives the text of IPP 10.1
Guideline 11 gives the text of IPP 11.1
Guideline 12 tells you what personal information is covered by IPPs 10 and 11


10 What does IPP 10.1 say?

The text of IPP 10.1 is:


A record-keeper who has possession or control of a record that contains personal information that 
was obtained for a particular purpose shall not use the information for any other purpose unless... 


Meaning of IPP 10.1 
IPP 10.1 sets limits on how an agency may use personal information: 


• General rule: IPP 10.1 says that an agency may only use personal information for the particular
purpose for which it obtains the personal information.

• Exceptions: IPP 10.1 (a) to (e) lists 5 situations in which an agency may use personal information
for purposes other than that for which it obtains the personal information.


Concept underlying IPP 10.1 - "reasonable expectation" 


The general rule in IPP 10.1 is based on the concept of "reasonable expectation" - that is - people usually
give personal information to an agency with a specific purpose in mind (for example, they want a 
licence, or a benefit payment, or a tax refund), and they should be able to expect the information to be 
used for that purpose only. 


Working out the "particular purpose" for which information is obtained




An agency must know exactly why it is obtaining the information 


When an agency obtains personal information, it must have in mind a specific, well defined purpose for 
doing so. It must know exactly what it is trying to achieve by obtaining the information. 


This requirement applies whether the personal information is obtained directly from the person the 
information is about, or whether it is obtained from another agency or some other organisation. This 
requirement is consistent with requirements about collecting personal information in IPPs 1 to 3.


Sometimes an agency may have to judge how broad its purpose is in obtaining personal information. 


For example: If an agency obtains personal information from Ms A on an application form for a
Program X benefit payment, how broadly should an agency interpret the purpose for which it obtains the
information?


• "To perform the lawful functions of the agency" is clearly too broad a purpose, since the agency may
perform many, and quite different, functions. In practice, this interpretation imposes no limit on how an
agency uses personal information (apart from lawfulness under other legislation), and IPP 10 has no
effect.


• "To decide if payments to Ms A should be started for this financial year" is too narrow a purpose. If the
agency wants to send Ms A information about changes to her benefits, it is artificial to conclude that
this is use for a purpose that is different from the purpose for which the agency originally obtains the
information.


• "To apply Program X to Ms A" seems a reasonable interpretation. It restricts uses to those related to
Ms A's involvement with the particular program while also permitting uses that are necessary to that
involvement. This interpretation is probably in line with Ms A's "reasonable expectations".


If an agency obtains personal information directly from the person it is about 


The purpose for which an agency obtains personal information within IPP 10.1 must be consistent with 
the purpose stated in the IPP 2 notice that accompanied the original collection of the information. 


IPP 2 says that if an agency obtains personal information directly from the person the information is 
about, it must clearly explain to the person its particular purpose for doing so. The agency should do this at 
the time it obtains the information from the person. 


The purpose for obtaining the information also should be what a reasonable person expects. 
For example: 


• personal information obtained on an application form is obtained for the purpose of assessing the
application.

• personal information obtained when someone is making an enquiry is obtained for the purpose of
answering the enquiry.

• personal information obtained in a survey is obtained for the purpose of finding out statistical (not
individual) information.

• personal information obtained in an audit is obtained to assess compliance in the past and the risk of
non compliance in the future.


If an agency obtains personal information from a third party

If an agency obtains personal information from another organisation, then its purpose in obtaining the
information is limited by any conditions the other organisation places on releasing the information. Often,
these conditions reflect the expectations of those from whom the information was originally obtained.


An agency should always be clear about why it is obtaining the information. It should be able to define this 
purpose in response to enquiries from individuals, or from the Privacy Commissioner following a complaint.


Exception 10.1(e) supports a narrow view of "purpose"

Exception 10.1(e) allows personal information to be used for a purpose directly related to the purpose
for which the information is obtained. This exception supports the view that the particular purpose should
not be interpreted too broadly. To interpret "purpose" broadly would make IPP 10 ineffective because it
would bring almost any use within exception 10.1(e).


11 What does IPP 11.1 say? 
The text of IPP 11.1 is: 


A record-keeper who has possession or control of a record that contains personal information shall 
not disclose the information to a person, body or agency (other than the individual concerned) .. 


Meaning of IPP 11.1 

IPP 11.1 limits the situations in which an agency may disclose personal information: 

• General rule: IPP 11.1 says that an agency may only disclose personal information to the person
the information is about. An agency must not disclose that information to any other person or
organisation.

• Exceptions: IPP 11.1 (a) to (e) lists 5 situations in which an agency may disclose personal
information to someone other than the person the information is about.


Concept underlying IPP 11.1 - "confidentiality of client information" 


Australian public administrators have always emphasised the importance of confidentiality of client 
information - and the general rule in IPP 11.1 is based on that concept. 


IPP 11.1 allows disclosure to the "individual concerned"

The "individual concerned" means the person who the personal information is about.

IPP 11.1 does not prevent an agency:


• telling a person what personal information it holds about them, and
• disclosing that personal information to them.

In fact, IPP 6 gives a person the right to access personal information held about them, unless another law
prevents them having access. If another law does prevent them having access, the agency should explain
this to them.


People acting on behalf of the individual concerned 


An agency can disclose personal information about a person to someone acting on behalf of the person. 
See Disclosing to representatives of the person the information is about on page 36 


12 What information do IPPs 10.1 and 11.1 apply to? 

IPP 10.1 and IPP 11.1 (including their exceptions) apply only to personal information that an agency: 

• obtains on or after 1 January 1989 (the date the Privacy Act commenced), or

• obtained before 1 January 1989 but amends on or after that date in a way that significantly changes its
meaning.

But it may be difficult to work out exactly what personal information falls into these categories. So the
Privacy Commissioner encourages agencies to treat all personal information, whenever obtained, as
being subject to these IPPs.


Information Privacy Principles 10.1 and 11.1 
- exceptions to the basic rules 


What are the guidelines on the exceptions to IPP 10.1 and 11.1? 
Guideline 13 explains how the exceptions work 


13 Overview of the exceptions to IPPs 10.1 and 11.1 

The general rules set out in IPPs 10.1 and 11.1 state that an agency: 

• may only use personal information for the particular purpose for which it obtains that information
(10.1), and

• may only disclose personal information to the person the information is about, and not to any other
person or organisation (11.1).


Clearly, fair and effective administration of government programs would be impossible if these rules were 
absolute. So, a number of exceptions in IPPs 10.1 and 11.1 list situations in which an agency may: 


• use personal information for another purpose, or
• disclose personal information to someone other than the person the information is about.


When the exceptions apply 


A use does not breach IPP 10.1, and a disclosure does not breach IPP 11.1, if: 


• the person the information is about consents to the use or disclosure:
exceptions 10.1(a) and 11.1(b)

• the use or disclosure is necessary to protect against a serious and imminent threat to a person's life or
health:
exceptions 10.1(b) and 11.1(c)

• the use or disclosure is required or authorised by law:
exceptions 10.1(c) and 11.1(d)

• the use or disclosure is reasonably necessary to enforce the criminal law or a law imposing a pecuniary
penalty, or to protect public revenue:
exceptions 10.1(d) and 11.1(e)


As well... 
A use does not breach IPP 10.1 if: 


• the use is directly related to the purpose for which the agency obtained the information:
exception 10.1(e)


A disclosure will not breach IPP 11.1 if: 


• the person the information is about has been told in a valid IPP 2 notice, or is otherwise likely to know,
that that kind of disclosure is commonly made:
exception 11.1(a)


How the exceptions should be used 


Where an exception applies, the agency should consider the spirit as well as the letter of the Act. The 
agency should: 


• seek to disclose, or to use, no more personal information than is necessary, and
• aim to give the person the information is about as much control as possible over their personal
information. This can be done by:
- being as open as possible with that person, and
- seeking their consent to a use or disclosure whenever that is practical - even if an exception not
requiring their consent is available, and
- giving them a full and informative IPP 2 notice so that they know how the personal information
they provide will be handled.


Which exceptions are the most reliable?

The best exceptions to rely on are the "consent" exceptions in IPPs 10.1(a) and 11.1(b). The agency can
safely use or disclose personal information under these exceptions if the person the information is about
clearly understands the use or disclosure they are consenting to, and they are not forced to consent.


The "required or authorised by law" exceptions in IPPs 10.1(c) and 11.1(d) are also reliable. If a use or 
disclosure is specifically required or authorised by a relevant law, the agency can safely proceed. 


IPPs 10.1(b) and 11.1(c), the "life and health" exceptions, should only be used in emergency situations.
They should not be used for routine disclosures.


IPP 11.1(a), the "reasonably likely to be aware or made aware" exception, should be used with care. If
an agency relies on the "reasonably likely to be aware" part of the exception, it must make a difficult
judgment about what the person the information is about is reasonably likely to know. Often, it is safer to
obtain the consent of that person and to rely on IPP 11.1(b).


IPP 10.1(e), the "directly related purpose" exception, should also be used with care. If an agency relies
on this exception, it must judge if the purpose for which it obtains the personal information is directly 
related to the purpose for which it wants to use the information. 


IPPs 10.1(d) and 11.1(e), the "law enforcement and revenue protection" exceptions, are likely to be the 
most difficult for an agency to rely on. They require careful judgments about what is "reasonably 
necessary" to achieve a particular purpose. They should be used as little as possible. 


Applying the exceptions to data-matching

Data-matching involves taking personal information from one database and comparing it with personal
information from another database. The aim is usually to identify people common to both databases
whose circumstances suggest that they should be subject to further investigation or other action.

Data-matching poses particular risks to the privacy of people's personal information. It usually involves
disclosing personal information about large numbers of people, most of whom are of no interest to the
agency conducting the matching.

To supplement the IPPs as they apply to data-matching, the Privacy Commissioner has issued Guidelines
for the use of data-matching in Commonwealth administration, available from his office. These guidelines
are voluntary, but the Privacy Commissioner encourages agencies to follow them.


Note that the Data-matching Program (Assistance and Tax) Act imposes special requirements on 
agencies involved in data-matching that falls within that Act. 


Exceptions 10.1(a) and 11.1(b) 
- consent by the individual concerned 


What are the guidelines on exceptions 10.1(a) and 11.1(b)? 
Guideline 14 gives the text of exceptions 10.1(a) and 11.1(b)
Guideline 15 explains that consent must be informed and given freely
Guideline 16 discusses implied and express consent
Guideline 17 tells you who must give, and who may obtain, consent


14 What do exceptions 10.1(a) and 11.1(b) say? 


The text of exception 10.1(a) is:

... [unless] the individual concerned has consented to use of the information for that other purpose

The text of exception 11.1(b) is:

... [unless] the individual concerned has consented to the disclosure

Meaning of exceptions 10.1(a) and 11.1(b)


Exception 10.1(a) allows an agency to use personal information for any purpose if the person the 
information is about consents to it being used for that purpose. 


Exception 11.1(b) allows an agency to disclose personal information for any purpose if the person the 
information is about consents to it being disclosed for that purpose. 


15 Consent (whether implied or express) must be informed and free

Informed consent


If an agency wants to use exception 10.1(a) or 11.1(b), it must be able to show that the person the 
information is about: 


• is accurately informed of what they are consenting to, or
• can reasonably be assumed to understand what they are consenting to, at the time they consent.

This may require the agency to take special measures, for example, when seeking consent from a person
who has difficulty with English.


The agency must explain clearly what consent it seeks 


The agency must take all reasonable steps to ensure that the person the information is about fully 
understands what they are consenting to. This includes: 


• the personal information that may be used or disclosed

• the purpose for which it is to be used or disclosed, and to whom it is to be disclosed - identified as
specifically as possible

• what happens if consent is not given.


An agency should not seek a broader consent than is necessary for its purposes 


Vaguely worded consents that may be interpreted as covering any use or disclosure make it difficult for 
the agency to show that the person the information is about has consented to the particular use or 
disclosure in question. 


Words like "may disclose ... to other bodies as appropriate" are not acceptable because they do not give
the person consenting a clear idea of what they are consenting to. Relying on phrases like these may result
in the agency breaching the IPPs. So an agency should not seek a broader consent than is necessary for
its purposes.


Free consent 


If an agency wants to use exceptions 10.1(a) and 11.1(b) then the person the information is about must 
freely consent to the use or disclosure. 


A "consent" from a person who has or reasonably believes they have no real choice but to consent, is not 
adequate for exceptions 10.1(a) or 11.1(b).


For example: if the person the information is about knows or believes that serious adverse consequences 
will follow if they refuse to consent, any consent they give is not freely given. An agency should not suggest 
that it is obtaining consent if the person the information is about has no practical alternative but to consent. 


How can an agency tell if a person has no effective choice but to consent? 


In deciding if consent is adequately free, an agency should take into account these factors (if it is aware of 
them): 


• the extent to which the person the information is about is able to influence the way in which an agency
handles the information

• the alternatives open to the person the information is about, if they choose not to consent

• any serious financial consequences (judged from what the agency can reasonably infer from the
circumstances of the person the information is about) that could flow from refusing to consent

For example: what would be a serious financial consequence for an aged pensioner may not be for some
other members of the community.

• any undesirable social consequences, such as embarrassment, if they refuse to consent
• adverse consequences for family members or other intimates if they refuse to consent.


What an agency should do if a person cannot freely consent 


If a person cannot freely consent to the agency disclosing their personal information, the agency 
should not try to rely on exception 11.1(b) and seek an empty "consent" from that person.


If the disclosure is usual practice, the agency should instead: 


• tell the person that the disclosure is the agency's usual practice, and
• rely on exception 11.1(a).


For example: if a benefit agency: 

• seeks consent from its client to use personal information it obtained for another purpose, to check
the client's eligibility for income support benefits, and

• makes it clear that benefits will be withdrawn if consent is not given,

then any consent given by the client is not adequate for exception 11.1(b).


Consent can be revoked at any time 


Consent is only valid if it is current. A person can consent to a use or disclosure and then later withdraw 
their consent. 


For example: 


• someone who has split up with their spouse may no longer consent to disclosures to the spouse
• a young person who has moved away from home may no longer consent to disclosures to their parents.


An agency must be sure that the consent is current before relying on it. 

16 Must consent be express - or is implied consent sufficient?

Implied consent

The Privacy Act defines "consent" to include "implied consent" (section 6(1)).

An implied consent may be valid - but if an agency relies on implied consent, it must make a difficult
judgment about what a person may think in particular circumstances or what a person may mean by a
particular action. Wrong decisions can lead to serious breaches of privacy.


As a general rule, the Privacy Commissioner advises agencies to get the person the information is about to 
take positive action to express their consent. 


Examples of implied consent:

• A person gets their member of parliament (MP), doctor, or solicitor to write to an agency about a
particular matter. The person impliedly consents to the agency replying, including with any personal
information about the person, to the MP, doctor, or solicitor.


The Privacy Commissioner has released guidelines for Commonwealth agencies providing personal 
information to MPs. They are available in the Federal Privacy Handbook (loose-leaf service) or from the 
Privacy Hotline: 1300 363 992 


• A person who sends a letter of complaint to an agency copies the letter to their representative in the
matter. The person may be taken to impliedly consent to the agency disclosing relevant personal 
information to the representative. 


Note these points about implied consent: 


• An agency should not normally assume that the person the information is about has consented to a use
or disclosure simply because they have not objected.

• An agency does not establish implied consent by showing that, if the person the information is about
knew of the use or disclosure and the benefits it would bring them, they would probably consent to it.

• An agency must not assume that the person the information is about has consented to a use or
disclosure - just because the use or disclosure seems advantageous to that person.

• An agency must not assume that a person consents to the disclosure of their personal information to
their spouse or family members. The agency can only disclose the personal information to these
people if the person the information is about consents to the disclosure. Although in many cases a
person may approve of a disclosure to a requesting spouse or family member, this is not always so.


For example: An agency should be especially careful when a couple is going through divorce or 
separation. In this situation, disclosing information about one party to the other may constitute a very 
serious breach of privacy. A number of these types of cases have been the subject of formal complaints to 
the Privacy Commissioner. 


• The more sensitive the personal information, the stronger the case for obtaining express consent.
Sensitive personal information may be used or disclosed on the basis of implied consent, but only if
the implication is unambiguous.

• It is dangerous for an agency to assume how a particular person may view a set of circumstances:


For example: 


• If a person appeals to an agency that handles complaints, that agency should not assume that the
person would consent to it disclosing personal information to the agency's State or Territory
counterparts. The agency must check with the person to see if this use or disclosure is acceptable.

• An agency should not assume that because an applicant for a particular benefit consents to their
referee knowing some personal information about them, they consent to all related information being
disclosed to the referee. An agency can only assume a person consents to the extent that there is
conclusive evidence of consent.


How to obtain express consent 


What is the best evidence of genuine consent?

The best evidence of genuine consent is given when a person has to do something deliberate to indicate
they consent (for example, write a letter, tick a consent box or sign a statement saying they consent).


A clearly worded letter of consent signed by the person the information is about is a good way to get 
consent. 


If an agency is using a form to get consent it should make it as easy as possible for the person to exercise 
their choice about whether or not to consent. The agency can use: 


• a consent box that is ticked to show consent or left blank to show no consent, and a single signature
space at the foot of the form that applies to the consent box and other material in the form. This 
approach is usually feasible. 


Here is a text for a consent box that the Privacy Commissioner would regard as providing adequate 
assurance of informed consent: 


If you consent, we can advise the Department of X, Y and Z of your new level of 
benefits. This will ensure that the Department does not make any overpayment to you 
(which you would have to pay back later). 


We can only do this if you consent. Do you consent? (please tick one box only) 


No 


• no consent box, but a separate signature space for consent. This is especially desirable for more
sensitive personal information 


Obtaining consent at the time personal information is obtained 


An agency should obtain any necessary consent from the person the information is about, at the time it 
obtains the information. If this is not possible (for example, if the program being administered changes in 
some way that requires a new consent) an agency may seek consent during routine contact with the 
person the information is about, such as billing. 


Oral consent may be acceptable in some circumstances 


Written consent is the best evidence of express consent because what the person has consented to is more 
likely to be clear. But an oral consent may be an acceptable form of express consent if: 


• an officer of the agency hears the consent personally and makes a signed record of it (because it is
difficult to establish that an oral consent has been given if there is no record of it), and

• the agency is satisfied that the person giving the oral consent is the person the information is about.


An agency should have a policy about the types of uses and disclosures for which it will accept oral 
consent, and the types for which it requires written consent. 


17 Who must consent, and who must obtain that consent?

Who must consent to the use or disclosure?


The individual concerned must consent 


The "individual concerned" is the person who is the subject of the personal information that is to be used 
or disclosed. Normally, this is the person who must consent to the use or disclosure. 


Consent by third parties

Sometimes a third party (for example, a parent or guardian) may consent to a use or disclosure on behalf
of the person the information is about - but only if the person the information is about is not able to consent
themselves.


For example: the person the information is about may be a young child, or a person with a disability or 
condition that prevents them consenting. 


If someone under 18 years of age is sufficiently old and mature to consent on their own behalf, it may not 
be appropriate to rely on a consent given by another person. 


Sometimes legislation may say that a third party can consent on behalf of the person the information is 
about. 


In deciding if it should rely on consent from a third party, an agency should consider: 


• the legal situation
• the interests of the child or person the information is about.


The agency should not assume that a third party needs to consent on behalf of the person in all cases, just 
because it was appropriate in one case. 


What if the information is about more than one person? 


If a single piece of information constitutes personal information about more than one person, all of those 
people must consent to the use or disclosure of that piece of information. 


For example: if an agency holds the information that A and B lived in a marriage-like relationship for a 
particular period, that is personal information about both A and B. If the agency wanted to use or 
disclose that information under exceptions 10.1(a) or 11.1(b), it would have to obtain consent from both A 
and B. 


Disclosing to representatives of the person the information is about 
If the person the information is about consents, an agency may disclose their personal information to
that person's representative (for example, their lawyer, tax agent, or Member of Parliament, or their
representative from a welfare agency).


An agency must make sure the person is truly a representative 
An agency must make sure that the person the information is about truly has consented to it disclosing the
personal information to the representative. The best evidence of consent is a clear written consent from 
the person the information is about. The more sensitive the personal information, the stronger the case for 
requiring written consent. 


An agency must verify the identity and authority of apparent representatives. If the person the information 
is about has not given a signed authority, the agency may rely on other evidence that shows the apparent 
representative is a true representative. The agency must judge what evidence is adequate in this situation. 
Evidence may include the agency's previous contact with a representative.


An agency should have a clear policy on when staff may disclose personal information to an apparent
representative. 


An agency must only disclose the information consented to 


An agency should make sure it only discloses the information that the person the information is about 
consents to - that is, personal information that the client could reasonably expect the agency would give
to their representative. 


For example: 


• if a lawyer is representing a person in a complaint against an agency, the agency can assume that the
person has consented to it disclosing to the lawyer personal information about the complaint itself.
The agency cannot assume that the person consents to it disclosing other personal information, like
the history of the person's relationship with the agency.


• a person may give someone a power of attorney concerning particular matters only.


An agency should have a clear policy on the type and amount of information that it can disclose in different 
situations. 


Frequent dealings with representatives 


If an agency often deals with representatives, it should consider asking all new clients to identify the people 
to whom their personal information may be disclosed. 


Obtaining consent to the disclosure if disclosing to a third party 


If a third party is asking the agency to disclose personal information, it is usually the agency (not the 
third party) that must obtain the consent to that disclosure from the person the information is about. 


This is because the disclosing agency is responsible for making sure that the person the information is 
about consents to the disclosure, within exception 11.1(b). Although the agency can accept evidence from 
the third party that this is so, the safest course for the agency is to obtain the person's consent itself. 


Exception 11.1(a) 
- aware the disclosure is usual practice 


What are the guidelines on exception 11.1(a)? 


Guideline 18 gives the text of exception 11.1(a)
Guideline 19 explains when a person is "reasonably likely to have been aware"
Guideline 20 explains when a person is "reasonably likely to have been made aware under IPP 2"
Guideline 21 tells you when the person needs to be aware that the disclosure is usual practice
Guideline 22 explains "usually passed on"
Guideline 23 explains "information of that kind"
Guideline 24 explains "that person, body, or agency"


18 What does exception 11.1(a) say?
The text of exception 11.1(a) is: 


... [unless] the individual concerned is reasonably likely to have been aware, or made aware under 
principle 2, that information of that kind is usually passed to that person, body or agency. 


Meaning of exception 11.1(a) 
Note: this exception applies only to disclosures. 


Exception 11.1(a) allows an agency to disclose personal information to someone other than the person 
the information is about, or to an organisation or agency, if: 


• at the relevant time (guideline 21)
• the person the information is about is reasonably likely:
  - to have been aware (guideline 19), or
  - to have been made aware under IPP 2 (guideline 20)
• that the agency usually discloses (guideline 22)
• that kind of information (guideline 23)
• to the person, organisation, or agency, to whom it is to be disclosed (guideline 24).


The test is what is reasonably likely, not what is actually so 
The test is whether the person the information is about is reasonably likely to have been aware, or made
aware under IPP 2 - not whether they actually have been aware or made aware. A person may be
reasonably likely to be aware even if actually they are not aware.


19 When is a person "reasonably likely to have been aware"?
Factors to take into account 


The disclosing agency must be able to explain why it thought the person was reasonably likely to have 
been aware. In practice, the agency must work this out case by case. In doing so, it should take into 
account: 


• the relationship that the person the information is about has with the agency


For example: if the person the information is about asks a welfare agency to arrange for another agency 
to provide them with a service, that person is reasonably likely to be aware that the welfare agency will 
pass relevant personal information to that other agency. 


• the occupation of the person the information is about
• the life experience of the person the information is about


For example: a public servant of long standing is reasonably likely to be aware of routine flows of 
personnel information. For example, that their personnel file follows them when they transfer to another 
agency.


• the previous actions of the person the information is about.


For example: the person may have written a letter or had other contact with the agency that indicates 
they are aware of a usual disclosure practice. 


Do not assume too much about what people are likely to be aware of 


As a general rule, it is important not to assume too much about what people are likely to be aware of. Most 
people know little about the mechanics of Commonwealth administration. 


An agency might find it useful to consult with its client groups to find out what can reasonably be assumed 
about the knowledge of a group as a whole. 


When it may be obvious or common knowledge that a disclosure is usual 


A person is considered to be reasonably likely to have been aware that a particular disclosure is usual if it 
is obvious or common knowledge that it is usual. 


For example: 

• a person involved in administering a government program is reasonably likely to be aware of
disclosures that are an ordinary part of the functioning of the program. But a member of the general
public is not reasonably likely to be aware of much about the ordinary functioning of a program,
especially since this changes with changes in policy, technology, agency responsibilities and so on.

• a person who complains publicly about an agency in relation to their circumstances (for example, to
the media) is considered to be reasonably likely to be aware that the agency may respond publicly -
and in a way that reveals personal information relevant to the issues they have raised.

• a person who sends a letter to the wrong Minister is reasonably likely to be aware that the letter will be
forwarded to the Minister who has responsibility for the subject of the letter.


20 When is a person "reasonably likely to have been made aware under IPP 2"?


For a person to be "reasonably likely to have been made aware" under IPP 2, they must have been given a 
valid IPP 2 notice. 


See guideline 12 of the Plain English Guidelines to IPPs 1-3 to find out what constitutes a valid IPP 2 
notice. These guidelines are available on the Commonwealth Managers’ Toolbox (CD ROM). 


21 When must the person be aware or have been made aware? 
When must the person "have been aware"? 


If the agency is relying on this part of exception 11.1(a), it must show that the person the information is 
about is reasonably likely to be aware that the disclosure is usual practice at the time of the disclosure. 


When must the person "have been made aware under IPP 2"?


If the agency is relying on this part of exception 11.1(a), it must have given the person the information is
about a valid IPP 2 notice at the time they provided the personal information - or, if that is 
impractical, as soon as practical afterwards. 


If an agency wants to use a new disclosure practice that it has not told people about in its IPP 2 notices, 
then it should rely on the "consent" exception in IPP 11.1(b), or the "required or authorised by law" 
exception in IPP 11.1(d). 


22 Meaning of "usually passed on" 


For exception 11.1(a) to apply, the person the information is about must be reasonably likely to have been 
aware, or have been made aware, that the personal information they give the agency is of a kind that the 
agency "usually passes on". This requirement is discussed in more detail in the Plain English Guidelines 
to IPPs 1-3, guideline 13. 


In summary, an agency "usually passes on" personal information to another body if it is the agency's 
normal practice to disclose some or all of that type of personal information to that body. So, an agency 
"usually passes on" personal information to another body if: 


• it is the agency's normal practice to disclose all of that type of personal information to that body, or
• the agency discloses only some of that type of personal information to that body but it is its normal
practice to do so. 


"Usually passing on" does not include disclosing information only in exceptional situations. 


For example: Information is not normally considered to be "usually passed on" if it is given to police in 
response to a search warrant, or to a court in response to a subpoena. 


23 Meaning of "information of that kind" 


An agency should only disclose information that the person the information is about could reasonably be 
expected to be aware would be disclosed. 


If the person is made aware through a valid IPP 2 notice, the "information of that kind" requirement is
usually satisfied because a valid IPP 2 notice usually sets out clearly which information obtained is usually
disclosed.


See guideline 12 of the Plain English Guidelines to IPPs 1-3 to find out what constitutes a valid IPP 2 
notice. These guidelines are available on the Commonwealth Managers' Toolbox (CD-ROM). 


If an agency obtains personal information from a person in a less structured way (for example, through a 
wide-ranging interview with them), it should tell that person clearly: 


• what kind of personal information it usually discloses


For example: the agency could say that it may disclose to another body information that identifies people 
and information on the level of benefits that people receive. 
• what sort of personal information (if any) it will not disclose.


24 Meaning of "that person, body, or agency"


An agency must tell the person the information is about, to whom it usually discloses that kind of 
personal information. The agency must do this as clearly and specifically as possible. This requirement is 
satisfied when the person is aware of the precise identity of that "person, body, or agency". So the agency 
should try to name the "person, body, or agency" whenever possible. 


But 11.1(a) may sometimes apply even if the agency does not tell the person the information is about, the 
specific name of the "person, body, or agency".


For example: if the agency intends disclosing the personal information to a number of bodies of the 
same type, it need only tell the person the type of body involved (for example, State Education 
Departments). 


What if an agency changes its name? 


If a person is told that their personal information may be disclosed to a specific agency which later 
changes its name (for example, because of a change in ministerial arrangements), a disclosure to the 
agency under its new name still falls within exception 11.1(a) if the purpose for disclosing the information is 
unchanged. 


What if an agency transfers its function? 


If a person is told that their personal information may be disclosed to a specific agency, and that 
agency later transfers the function (that gives rise to the disclosure practice) to: 


• a new agency - then a disclosure to the new agency may still fall within exception 11.1(a) if:


- the purpose for disclosing the personal information to the new agency is exactly the same as for 
the old agency, and 
- the new agency uses the personal information for no other purpose. 


For example: If an agency tells the person the information is about that their personal information may 
be disclosed to the Wombat Tunnels Disputes Board, but wombat tunnel disputes are now handled by a 
unit in the Native Animal Agency (NAA), exception 11.1(a) may apply to a disclosure to the NAA. But 
NAA must use the personal information for the sole purpose of resolving wombat tunnel disputes. 


• a state government body or a private organisation - then the disclosing agency should rely on the
"consent" exception in IPP 11.1(b) or the "required or authorised by law" exception in 11.1(d). 


Exceptions 10.1(b) and 11.1(c) 
- threat to life or health 


What are the guidelines on exceptions 10.1(b) and 11.1(c)? 


Guideline 25 gives the text of exceptions 10.1(b) and 11.1(c)
Guideline 26 explains what "reasonable grounds" are
Guideline 27 explains "necessary to prevent or lessen"
Guideline 28 explains what a "serious and imminent threat to life or health" is
Guideline 29 tells you whose life or health must be threatened


25 What do exceptions 10.1(b) and 11.1(c) say?


The text of exception 10.1(b) is: 
... [unless] the record-keeper believes on reasonable grounds that use of the information for that other 
purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the 
individual concerned or of another person 

The text of exception 11.1(c) is: 
... [unless] the record-keeper believes on reasonable grounds that the disclosure is necessary to 
prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of 
another person 

Meaning of exceptions 10.1(b) and 11.1(c) 

Exception 10.1(b) allows an agency to use personal information if: 

• it reasonably believes (guideline 26)

• that this is necessary to prevent or lessen (guideline 27)

• the threat of death or serious injury (guideline 28)

• to the person the information is about, or some other person (guideline 29).

• The threat must be serious and about to happen (guideline 28).

Exception 11.1(c) allows an agency to disclose personal information in the same circumstances. 


Only use these exceptions in an emergency 


Only use these exceptions in an emergency, when someone is at serious risk that demands immediate 
action. 


For example: if an outbreak of typhoid is connected with contaminated food on an aeroplane, immediate 
access to the latest available address information may be necessary: 


- to trace possible carriers of the disease, and 
- to enable preventive treatment to be given to people who may have come into contact with the
carriers.


An agency should not use these exceptions to justify any class of routine uses or disclosures, even if 
those uses or disclosures are aimed at reducing serious threats to life or health. 


26 What are "reasonable grounds"? 
Note that "reasonable grounds" for believing that something is the case does not mean that something must
actually be the case. This is consistent with the common law on confidentiality, which allows a disclosure
of personal information to appropriate authorities if:


• honestly made, and
• made in the reasonable belief that it is likely to relieve a serious and imminent threat to a person's life or
health.


The agency is responsible for deciding whether or not there are reasonable grounds for using or disclosing 
the personal information. 


An agency should have guidelines on: 

• the appropriate level of seniority in the agency at which decisions can be made about whether or not
there are reasonable grounds, and

• the range of matters that should be taken into account when deciding whether or not there are
reasonable grounds. These include:


- the source and reliability of the information that indicates a threat to life or health, and 
- the seriousness of the indicated threat. 


If there is a complaint or a privacy audit, the Privacy Commissioner (or ultimately, the Federal Court) must 
judge whether or not the grounds for using or disclosing the personal information are reasonable. 


27 Meaning of "necessary to prevent or lessen" 

The agency must reasonably believe that the use or disclosure is necessary to: 

• prevent the threat, or

• lessen the threat to a noticeable extent. These exceptions are unlikely to apply to a use or disclosure
that only marginally lessens a risk.

An agency must consider if there are reasonable alternatives 

Using or disclosing personal information, even to prevent or lessen a serious threat to health or life, may
significantly disadvantage the person the information is about. If this is the case, an agency should seriously
consider if there are any effective alternatives available that do not have this consequence.


28 What is a "serious and imminent threat to life or health"?
"serious" 


The threat must be serious. What is a "serious threat" depends on the particular circumstances of each 
case. 


As a guideline: 

• an explicit threat of murder or assault is certainly a serious threat

• a threat of infection with a life-threatening condition is usually a serious threat.

• a specific threat of physical harm to a particular officer in an agency usually counts as a serious threat.
(Abuse directed to staff in general does not usually count as a serious threat.)


"imminent" 
This means that the threatened harm must be about to happen.


"threat to life or health"


The threat must be to an individual's body. So there must be a threat of bodily injury, illness, or death.
Threats of contracting (or being denied effective treatment for) a serious medical condition are also threats
to life or health.


Threats to finances or reputation are not threats to life or health.


29 Whose life or health must be threatened? 


The threat does not have to apply to an identifiable person. It may be a threat of serious harm to be 
randomly inflicted, so that it is impossible to tell who exactly the threat is directed at. 


Exceptions 10.1(c) and 11.1(d) 
- required or authorised by law 


What are the guidelines on exceptions 10.1(c) and 11.1(d)? 


Guideline 30 gives the text of exceptions 10.1(c) and 11.1(d)
Guideline 31 discusses getting advice on when exceptions 10.1(c) and 11.1(d) apply
Guideline 32 explains "law"
Guideline 33 explains "required by or under law"
Guideline 34 explains "authorised by or under law"
Guideline 35 explains how to make sure you comply with exceptions 10.1(c) and 11.1(d)


30 What do exceptions 10.1(c) and 11.1(d) say?


The text of exception 10.1(c) is:
[unless] ... use of the information for that other purpose is required or authorised by or under law

The text of exception 11.1(d) is:
[unless] ... the disclosure is required or authorised by or under law

Meaning of exceptions 10.1(c) and 11.1(d)


Exception 10.1(c) allows an agency to use personal information for any purpose that the law requires 
or authorises. 


Exception 11.1(d) allows an agency to disclose personal information if the law requires or authorises 
that disclosure. 


31 Getting advice on when exceptions 10.1(c) and 11.1(d) apply 
It is ultimately up to the agency to identify powers that may fall within this exception and, if necessary, to
obtain appropriate legal advice. 


32 What is "law" for the purposes of 10.1(c) and 11.1(d)?
What is "law"?


N.B. the shaded sections inserted on 1/4/03 to clarify the interactions between Commonwealth and 
State/Territory law, were further amended on 6/6/03. Some references in this section to Commonwealth 
agencies and their interactions with third parties may not be relevant to the ACT. 


Law means the law of the Commonwealth jurisdiction. For the purposes of exceptions 10.1(c) and 
11.1(d), the following are "law":


• Commonwealth Acts
• Commonwealth delegated legislation


For example: regulations, determinations. 


Note: Where a State/Territory has validly legislated to bind the Commonwealth, these State/Territory laws
are also considered ‘law’. The question of whether a State/Territory has validly legislated to bind the
Commonwealth is often a complex one. It is therefore advisable for a Commonwealth agency to seek legal
advice if unsure whether it is bound by State/Territory law in the given circumstances.


• documents with the force of Commonwealth law


For example: industrial awards. These documents are not law, but are given the force of law by an Act of 
Parliament (for example, the Industrial Relations Act). 


• A document may have the "force of law" if:


- it is an offence to breach its provisions, or
- it is possible for a penalty to be lawfully imposed if its provisions are breached. 


• Disclosures to Commonwealth Ministers


An agency subject to the direction of a Minister is normally bound to provide them with any information 
they request that is consistent with their ministerial responsibilities. But some agencies (especially 
independent statutory agencies) are subject to strict legislative duties of secrecy that may restrict 
disclosures of personal information to the Minister. 


For example: 
- Disclosure to any Minister of an individual taxpayer's affairs is limited by the Income Tax 
Assessment Act 
- Disclosure of information about complaints to the Ombudsman is limited by the Ombudsman Act. 


• Commonwealth Parliamentary privilege


One aspect of Parliamentary privilege is that Parliament has the power to make people (and agencies)
provide it with information. This power is not set out in the Australian Constitution or any Act of Parliament 
- but it is another source of lawful authority. With this power, Parliament can require people and agencies 
to answer Parliamentary questions and provide information to Parliamentary Committees. The Privacy Act 
does not stop an agency disclosing personal information in either of these situations. 


However, if the Privacy Act would prohibit the disclosure were it not for Parliamentary privilege, it may be 
appropriate for the agency to approach its Minister with any concerns it has about disclosing the personal 
information. If the proposed disclosure is to a Committee, the Minister may be able to find out from the 
Committee if the disclosure is really necessary. Alternatively, the Minister may be able to arrange for the 
personal information to be disclosed confidentially. Most Committees (except Senate Estimates 
Committees) can receive confidential evidence. 


Parliamentary privilege does not apply to requests for information from agencies made by Members or 
Senators acting on behalf of their constituents. 


What is not "law''? 


Agencies often try to justify uses or disclosures on the basis that they are required or authorised by the 
following, but normally these are not acceptable: 


• state law


Where a State/Territory has validly legislated to bind the Commonwealth, these State/Territory laws are 
also considered ‘law’ (see note in What is Law?). 


For example: in the service and execution of court process, the Commonwealth has bound itself to 
comply with properly issued process from state courts (writs, subpoenas, search warrants, etc). 


• common law (which consists of broad statements of legal principle and is made by judges - as opposed
to statute law which is legislation made by Parliament) 


But, in some limited circumstances common law duties may arise. The Privacy Commissioner has 
occasionally accepted that a disclosure is necessary to satisfy requirements imposed by the common law 
principle of natural justice. But these cases are expected to arise rarely. 

• requests for personal information from foreign governments

International requests for information are not usually for personal information. If they are, they only fall 
within exceptions 10.1(c) or 11.1(d) if there is a Commonwealth law that requires or authorises the 
agency to provide personal information in those circumstances. Similarly, treaty obligations only fall 
within these exceptions if there is a Commonwealth law that enacts that obligation. 


• Cabinet decisions


Although Cabinet decisions very often set in motion the machinery for making laws, they are not themselves 
law. 


• inter-agency agreements and contracts between an agency and other parties


But, the terms of these agreements and contracts may fall within exceptions 10.1(c) and
11.1(d) if an Act of Parliament (or other legislation) specifically gives them the force of law. 


33 Meaning of "required by law"
When does a law require an agency to use information for another purpose? 


A use for another purpose is usually required by law if legislation governing the using agency specifically 
requires it to use the personal information for a purpose different from that for which it is obtained. 


An agency may also be required by law to use personal information for another purpose if: 


• the agency is governed by legislation that requires it to perform a specific function, and
• the only possible way the agency can perform that function is by using the particular information for a
purpose different from that for which it was obtained. 


When does a law require an agency to disclose information? 


An agency is required by law to disclose personal information if a law governing it specifically requires 
it to disclose information. 


For example: a law may require an agency to reveal relevant personal information to a review tribunal 
or to a person seeking a review of a decision. The agency must comply with this law - although if the law
also gives the agency a discretion to withhold specific information, it should exercise that discretion where 
appropriate. 


An agency is also required by law to disclose personal information if: 


• legislation governing the agency to whom the information is to be disclosed (the "receiving agency")
gives that agency power to require the specific information to be disclosed, and

• the receiving agency exercises its power to require the disclosure by formally advising the disclosing
agency that it is exercising that power (for example, by issuing a notice to the disclosing agency). 


34 Meaning of "authorised by law"

There is a difference between "required by law" and "authorised by law". If an agency is required by law 
to use or disclose personal information, it has no choice in the matter. If an agency is authorised by law 
to use or disclose personal information, it has a discretion as to whether it will do so. 


When does a law authorise an agency to use information for another purpose? 


A use for another purpose is a use for a purpose different from that for which the personal information is 
obtained. 


A law authorises a use for another purpose if legislation governing the using agency clearly and 
specifically gives it a discretion to use the personal information for that purpose. The agency must be 
able to point to a specific relevant discretion in the legislation governing it.


A use is not authorised (within 10.1(c)) by a section in an Act that gives a public office holder a general
discretion "to do any thing necessary or convenient to be done for or in connection with" their functions. 


A use is also not authorised just because there is no law prohibiting it. If it were, almost any use would be 
authorised by law and IPP 10.1 would be ineffective. 


When does a law authorise an agency to disclose information? 


A law authorises a disclosure if legislation governing the disclosing agency clearly and specifically gives it 
a discretion to disclose the personal information. The disclosing agency must be able to point to a 
specific relevant discretion in the legislation governing it. It is not enough for the receiving agency to show 
that the personal information is relevant to its lawful functions. 


A disclosure is not authorised (within 11.1(d)) by a section in an Act that gives a public office holder a 
general discretion "to do any thing necessary or convenient to be done for or in connection with" their 
functions. This is the case whether the section applies to the disclosing or receiving agency. 


If legislation governing a disclosing agency prohibits a disclosure, the agency cannot make that disclosure 
- even if legislation governing the receiving agency gives it a general discretionary authority to obtain the 
personal information. 


A disclosure is not authorised by law just because there is no law prohibiting it. If it were, almost any 
disclosure would be authorised by law and IPP 11.1 would be ineffective. 


Can a law impliedly authorise a use or disclosure? 


A use or disclosure may fall within 10.1(c) or 11.1(d) if the law requires or authorises a function or 
activity that clearly and directly entails the use or disclosure. Here, the use or disclosure is impliedly 
authorised by law because it is essential to effect a scheme the law lays down. 


For example: 


• An industrial law says that a union must conduct an election for OHS representatives and that this must
be an election of all people in the work place (not just union members) and that it must be by postal 
ballot. It is impossible for this law to be complied with unless the employing agency is able to tell the 
union the names and addresses of its non-union employees. 


e Where a function is wholly transferred from one agency to another, disclosures made by the old 
agency to the new agency are necessary to give effect to the new administrative arrangements. Note 
that this does not permit the new agency to use the personal information for a purpose other than 
that for which it is obtained. 


e Ifa law authorises an agency to obtain personal information, it authorises disclosures that are an 
inseparable part of obtaining it. For example, telling the person from whom you are obtaining 
information the name of the person about whom you are asking. 


35 Making sure the terms of 10.1(c) and 11.1(d) are met 


Identify the law that requires or authorises the use or disclosure 


Before an agency relies on these exceptions to use or disclose personal information, it should identify 
exactly what law requires or authorises that use or disclosure. 


A requesting agency should identify the law that supports its request 


If a disclosing agency is responding to a request from another agency or body, the requesting agency 
needs to be specific about what law authorises or requires the disclosure. 


The disclosing agency should insist that the requesting agency quote the relevant provision, or at least give 
a precise reference to the provision. Vague statements like "I am of the opinion that this information is 
required in the interests of the Commonwealth" are insufficient and a disclosing agency should not accept 
them. 


Develop guidelines or forms to deal with regular requests for disclosure


Developing guidelines


If an agency is regularly requested to disclose personal information, it should develop guidelines to deal 
with those requests. 


Matters these guidelines could set out include: 


• the sort of personal information that can be released in response to requests under commonly
encountered laws, and

• the sort of evidence needed to establish that a particular law does in fact authorise or require the
agency to disclose the requested personal information.


Developing forms 


If the volume of requests is great enough, it may be worth developing a form (or other formal recording 
system) to record the details of the request, including: 


• the name of the organisation and the individual in that organisation making the request

• the date of the request and the disclosure

• a specific reference to the legislation that requires or authorises the disclosure

• the name of the person (or people) whose personal information is disclosed

• a description of the personal information disclosed.


Monitoring by senior officers 


An agency minimises the risk of breaching IPP 11.1 if a centrally located and appropriately senior officer 
oversees its disclosure practices under 11.1(d). This does not mean that the officer need examine every 
request. But the officer should be in a position to monitor the way that exception 11.1(d) is applied in 
practice within the agency. 


Exceptions 10.1(d) and 11.1(e) 
- law enforcement and revenue protection 


What are the guidelines on exceptions 10.1(d) and 11.1(e)? 


Guideline 36 gives the text of exceptions 10.1(d) and 11.1(e)
Guideline 37 discusses when exceptions 10.1(d) and 11.1(e) may be applied
Guideline 38 explains "reasonably necessary"
Guideline 39 explains what "to enforce the criminal law" means
Guideline 40 explains what "to enforce a law imposing a pecuniary penalty" means
Guideline 41 explains what "to protect the public revenue" means
Guideline 42 directs you to the noting requirements of IPPs 10.2 and 11.2


36 What do exceptions 10.1(d) and 11.1(e) say?


The text of exception 10.1(d) is: 


... [unless] use of the information for that other purpose is reasonably necessary for the enforcement of 
the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue 


The text of exception 11.1(e) is: 


... [unless] the disclosure is reasonably necessary for the enforcement of the criminal law or of a law 
imposing a pecuniary penalty, or for the protection of the public revenue 


Meaning of exceptions 10.1(d) and 11.1(e) 

Exception 10.1(d) allows an agency to use personal information if that is reasonably necessary: 

• to enforce the criminal law (guideline 39), or

• to enforce a law imposing a financial penalty (guideline 40), or

• to protect the public revenue (guideline 41).

Exception 11.1(e) allows an agency to disclose personal information in the same circumstances.


These exceptions should only apply to unusual uses or disclosures

The Privacy Commissioner considers that an agency should rely on positive authorities given by specific 
law (see guidelines 30 to 35) wherever possible. So if an agency is governed by laws that purport to set 
out categories of all permitted uses and disclosures, it should not rely on exceptions 10.1(d) and 11.1(e) 
to expand those categories. 

37 When exceptions 10.1(d) and 11.1(e) may be applied 

An agency may want to apply IPP 10.1(d) or IPP 11.1(e) to three types of use or disclosure:

Uses and disclosures for specific investigations 


These uses and disclosures may involve either: 


• an agency using or disclosing personal information about a particular person, reasonably believing it
will safeguard one of the public purposes listed in the exceptions in a predictable way.

For example: if a person is suspected of a crime, an agency may disclose information about that person
to an investigating body.


• an agency using or disclosing personal information about a class of people who share a particular
characteristic that is significant to the investigation.


For example: it may be reasonably necessary for enforcing the criminal law to identify all the people who 
own a particular type of car. 


The Privacy Commissioner has no concerns about applying exception 10.1(d) or 11.1(e) to this sort of 
activity. 


Uses and disclosures for intelligence gathering that does not relate to a specific crime 


In safeguarding one of the public purposes listed in exception 10.1(d) or 11.1(e), it may be
reasonably necessary for an agency to use or disclose information about a range of people - even though 
none of them has yet been directly linked to an unlawful activity. 


For example: Investigators may suspect that a particular building is being used in drug trafficking and may 
think it reasonably necessary for enforcing the criminal law that they gather information about people 
associated with the building - even though they do not know what part, if any, those people play in the 
suspected activity. 


Uses and disclosures for data-matching to identify people of interest 


An agency may wish to use or disclose personal information about a large group of people so that the 
information can be analysed or compared with other information to identify a few people for further action 
or investigation. 


For example: a benefit paying agency may want to disclose personal information about its clients so it 
can be compared with tax records, in an attempt to identify people claiming benefits to which they are not 
entitled. 


The Privacy Commissioner believes that exceptions 10.1(d) and 11.1(e) should not be used to justify uses 
and disclosures for this sort of data matching. (In 1987, the heads of Commonwealth law enforcement 
agencies took a similar view.) This data-matching poses particular risks to the privacy of people's 
personal information because it usually involves disclosing personal information about large numbers of 
people, most of whom are of no interest to the agency conducting the matching. 


The Privacy Commissioner strongly encourages agencies to conduct data-matching only with express 
legislative authority, which would allow them to rely on exception 10.1(c) or 11.1(d). 


To supplement the IPPs as they apply to data-matching, the Privacy Commissioner has issued Guidelines
for the use of data-matching in Commonwealth administration, available from his office. These
guidelines are voluntary, but the Privacy Commissioner encourages agencies to follow them.


38 Meaning of "reasonably necessary"


To satisfy exceptions 10.1(d) and 11.1(e), the disclosing or using agency must:


• establish a link between the proposed use or disclosure and the relevant public interest (for example,
enforcing the criminal law), and

• establish that the link is strong enough to say that the use or disclosure is reasonably necessary to
safeguard that public interest.


Judging whether the link is strong enough will often be a difficult task and it is not possible to lay down rigid 
standards. 


As a general rule "reasonably necessary" implies that a use or disclosure need not be essential or critical to 
serving the public interest concerned (for example, enforcing the criminal law). But it must be more than just 
helpful, or of some assistance, or expedient. Within this range, an agency will inevitably need to exercise its 
own judgment about what is reasonably necessary. 


Factors relevant to "reasonably necessary"


What is "reasonably necessary" depends on which of the three public interests specified in these exceptions 
is at issue. But in general, factors relevant to the judgement include: 


• whether there are other practical and less intrusive measures available

• whether the potential harm to the public interest in question is sufficiently strong to outweigh the privacy
interests of the people the information is about

• (for disclosing agencies) who is to receive the personal information and whether and how the
information is likely to be protected once it is disclosed.


If an agency frequently discloses personal information to an organisation relying on 11.1(e), it may 
agree with the organisation that if specific criteria are satisfied in requesting the information, it will treat its 
disclosure as being "reasonably necessary". 


For example: the disclosing agency may require that the request: be made by an officer of a particular 
level, refer to a specific offence, refer to a specific case number, and be dated and signed. 


To find out more about managing the use and disclosure of personal information, see Some options for 
minimising risk of breaching the IPPs. 


An agency should make sure that all personal information it discloses is reasonably necessary to 
safeguard the public interest at stake. It should not disclose any extra personal information. 


Disclosures initiated by the disclosing agency 


Agencies most often rely on 11.1(e) for disclosures they make at the request of the receiving organisation. 
In this situation, the disclosing agency can ask the receiving organisation to explain why the disclosure is 
reasonably necessary. 


But if an agency wants to initiate a disclosure of personal information relying on exception 11.1(e), it is 
much harder for it to judge if the disclosure is reasonably necessary. An agency should have procedures to 
make sure that it voluntarily discloses personal information only if suitably senior staff decide that it is 
reasonably necessary. 
39 Meaning of "to enforce the criminal law"


Meaning of "criminal law"


"Criminal law" means any Commonwealth, State, or Territory law that makes particular behaviour an 
offence punishable by fine or imprisonment. 


Broadly speaking, "criminal law" encompasses those laws that make an act a crime, so that criminal 
proceedings can be taken. These proceedings are usually prosecuted by the police or Crown prosecutors. 
They are usually heard in criminal courts, and may result in the accused being convicted and punished by 
fine or imprisonment. 


Criminal law of non-Australian jurisdictions


"Criminal law" may include the law of non-Australian jurisdictions if the Commonwealth agrees to it under
the Mutual Assistance in Criminal Matters Act. But an agency may more appropriately seek to justify a
use or disclosure to enforce this kind of law by using exception 10.1(c) or 11.1(d).


Meaning of "to enforce" the criminal law


"To enforce" the criminal law means:


• the process of investigating crime and prosecuting criminals, and

• gathering intelligence about crime to support the investigating and prosecuting functions of law
enforcement agencies.


Who can disclosures be made to? 


An agency should only disclose personal information that is reasonably necessary to enforce the 
criminal law, to: 


• an organisation that has statutory responsibilities for investigating or prosecuting criminal offences

• a person or organisation that must be told the personal information so that they can help in the
investigation or prosecution.


Examples of permissible uses and disclosures 


These are examples of uses and disclosures that are reasonably necessary to enforce the criminal law, 
within exceptions 10.1(d) and 11.1(e): 


• An agency may disclose relevant personal information to a State Department of Corrective Services
that is trying to decide where to imprison people convicted of criminal offences.

• Police may disclose personal information - for example, the identity of an offender - if the disclosure
is necessary for the criminal compensation system to function.


40 Meaning of "to enforce a law imposing a pecuniary penalty"


Exception 10.1(d) allows an agency to use personal information for another purpose, if that is 
reasonably necessary to enforce a law imposing a pecuniary penalty. Exception 11.1(e) allows an agency 
to disclose personal information in the same circumstances. 


Laws imposing pecuniary penalties are often referred to as "civil penalty" or "administrative penalty"
provisions. They are laws that: 


• impose penalties for breaches of Commonwealth laws that are not prosecuted criminally


For example: many offences under the Customs Act and offences under the Taxation Administration 
Act. 


Or 
• impose penalties as an administrative alternative to prosecution


For example: the pecuniary penalty provisions under the Customs Act concerning false statements. 
These pecuniary penalties are recoverable as civil debts and so are distinguishable from fines imposed 
under the criminal law. 


The law must be either: 


• a Commonwealth law, or

• a law of a State or Territory that the Commonwealth has formally agreed to enforce.


"Law" includes regulations, directions and other delegated legislation.


Who can disclosures be made to?


The use or disclosure must be directly linked to enforcing the law imposing a pecuniary penalty. With a 
disclosure, the body to which the disclosure is made should be essential to investigating and taking action to 
enforce the law. 


41 Meaning of "to protect the public revenue"


Exception 10.1(e) says that an agency may use personal information for another purpose if the use is 
reasonably necessary to protect the public revenue. Exception 11.1(e) says that an agency may disclose 
personal information in the same circumstances. 


"Public revenue" clearly means Commonwealth revenue (that is, taxes and similar charges). In some 
contexts, it may also include State and Territory revenue. 


"Protecting the public revenue" includes those activities of the Australian Taxation Office (and any other 
agency with the power to levy taxes or charges) that are directed to ensuring that lawful obligations are 
met by those subject to the taxes or charges. Routine collection of taxes, levies and charges is therefore 
covered, as is audit, investigatory and debt recovery activity directed at ensuring that taxation and similar 
obligations are met. Any prosecution activity related to tax offences would fall under the "criminal law" 
exception discussed in guideline 39. 
The Commissioner has acknowledged that "protecting the public revenue" also extends to some aspects of
administering Commonwealth assistance and payment programs. 


Protecting the public revenue does not cover activities aimed at identifying and eliminating inefficient but
lawful spending of public money. Such a broad interpretation would allow use and disclosure in almost any
context that involves a public financial transaction, and would make IPPs 10.1 and 11.1 ineffective.


42 IPPs 10.2 and 11.2 - Noting uses and disclosures 


IPPs 10.2 and 11.2 require an agency that uses or discloses personal information under 10.1(d) or 
11.1(e), to note that use or disclosure on the record containing that information. Please read Information 
Privacy Principles 10.2 and 11.2 - noting uses and disclosures. 


Exception 10.1(e) 
- directly related purpose 


What are the guidelines on exception 10.1(e)? 


Guideline 43 gives the text of exception 10.1(e)
Guideline 44 explains "directly related"
Guideline 45 explains that the "purpose" for which personal information is obtained should be
interpreted narrowly


43 What does exception 10.1(e) say?


The text of exception 10.1(e) is: 


... [unless] the purpose for which the information is used is directly related to the purpose for which the 
information was obtained. 


Meaning of exception 10.1(e) 


Exception 10.1(e) allows an agency to use personal information for any purpose that is directly related 
to the purpose for which it originally obtained the information. 


This exception applies only to uses of personal information. 


Note: Sometimes providing personal information to third parties (for example, contractors) is treated as
a use rather than a disclosure (see When is passing personal information outside the agency a use?).


44 Meaning of "directly related" 


"Directly" means that there needs to be a close relationship between the purpose of the use and the 
purpose for which the personal information is obtained in the first place. 


A directly related purpose is one which is closely associated with the original purpose, even if it is not 
strictly necessary to achieve that purpose. If the related purpose is administrative, it must be one that 
people would reasonably expect to be associated with the original purpose. 
Here are some examples of uses of personal information that may be seen as directly related to the
purpose for which that information is obtained: 


• An agency uses information obtained for the purpose of operating a program, for the purpose of
monitoring, evaluating, auditing or managing that program.

• An agency uses information obtained for the purpose of investigating complaints, for the purpose of
conducting follow-up surveys and reporting to Parliamentary Committees.


45 The original "purpose" for which information is obtained should be interpreted narrowly


The "purpose" for which information is obtained should be interpreted narrowly. This is discussed in 
guideline 10. Guideline 10 also tells you how to work out the original purpose for obtaining the personal 
information. 


Information Privacy Principles 10.2 and 11.2 
- noting uses and disclosures 


What are the guidelines on IPPs 10.2 and 11.2? 


Guideline 46 gives the text of IPP 10.2 and 11.2 
Guideline 47 tells you that the note should be made on or attached to the record, and explains what 
the note must address 


46 What do IPPs 10.2 and 11.2 say? 
The text of IPP 10.2 is: 


Where personal information is used for enforcement of the criminal law or of a law imposing a 
pecuniary penalty, or for the protection of the public revenue, the record keeper shall include in the 
record containing that information a note of that use. 


The text of IPP 11.2 is: 


Where personal information is disclosed for the purposes of enforcement of the criminal law or of a 
law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the 
record keeper shall include in the record containing that information a note of the disclosure. 


Meaning of IPPs 10.2 and 11.2 


IPP 10.2 says that when an agency uses personal information under exception 10.1(d), it must note 
that use on the record containing that information. 


IPP 10.2 seems to say that an agency must note all of its uses of personal information made to 
safeguard any of the three public interests in exception 10.1(d) - even if the agency does not need to rely
on 10.1(d). But the wording of IPP 10.2 clearly shows that it is to be read in the context of exception
10.1(d). So the Privacy Commissioner interprets the noting requirement as only applying to uses when an
agency relies on this exception. 


IPP 11.2 says that when an agency discloses personal information under exception 11.1(e), it must 
note that disclosure on the record containing that information. 


The Commissioner recognises that disclosures of personal information pose a greater threat to privacy 
than using personal information, and that agencies should take greater care in noting disclosures. So, 
for disclosures made to safeguard any of the three public interests in IPP 11.2, the Commissioner
interprets the noting requirement in IPP 11.2 as applying:


• always - if the agency is relying on 11.1(e), and
• to the extent practical - if the agency is not relying on 11.1(e).


47 The note should be made on, or attached to, the record 

Paper records 

Normally, the note should be made on, or attached to, the record containing the personal information. 
Only if this is impractical or undesirable should an agency rely on a separate log of uses and disclosures. 
If a log is used, the record must specifically refer to the log and explain how it can be accessed. 


Computer records 


If personal information is held on computer, the note should be linked, or refer, to the particular 
personal information that has been used or disclosed. 


A computer audit trail (that is, an electronic log showing who accesses a particular record when, and 
sometimes for what purpose) by itself may not satisfy the noting requirement of IPPs 10.2 and 11.2. It may 
not contain sufficient detail about the disclosure or it may be too hard to reconstruct the history of the 
record's use and disclosure. 


What the note must address 

The questions that the note must answer are: 

• has personal information in this record ever been used relying on exception 10.1(d) or disclosed
relying on exception 11.1(e)?

• if so, when, by whom, to whom (for disclosures), and for what purpose?

An agency may wish to protect the notes from scrutiny by staff who routinely access the records - but
they must be accessible for audits or investigations by the Privacy Commissioner and for Freedom of
Information (FOI) requests.


Information Privacy Principle 11.3 
- use and disclosure of disclosed information 


What are the guidelines on IPP 11.3? 
Guideline 48 gives the text of IPP 11.3
Guideline 49 explains that the recipient may only use or disclose personal information for the
purpose for which the disclosing agency gave it to them
Guideline 50 discusses what the disclosing agency should do


48 What does IPP 11.3 say? 

The text of IPP 11.3 is: 
A person, body or agency to whom personal information is disclosed under clause 1 of this
principle shall not use or disclose the information for a purpose other than the purpose for which the 
information was given to the person, body or agency. 


Meaning of IPP 11.3 


IPP 11.3 says that if an agency discloses personal information (however obtained) to any recipient, the 
recipient can only use or disclose that information for the purpose for which it was disclosed to them. 


For example: an agency that has received personal information from a compensation authority for the 
purpose of managing superannuation obligations is obliged by IPP 11.3 not to use or disclose that 
information for any other purpose. 


49 The recipient must only use or disclose the information for the purpose for which it is disclosed to them


A "directly related" purpose is insufficient


The recipient must use or disclose personal information for the same purpose for which it is disclosed
to them, not a directly related one. For a discussion of the purpose for which personal information is
obtained, please read Working out the particular purpose for which information is obtained.


If an agency discloses personal information to another agency


IPP 11.3 says that an agency that receives personal information from a disclosing agency must only 
use or disclose that information for the purpose for which it is disclosed - even if one or more of the
exceptions in IPP 10.1 or 11.1 would otherwise apply to the proposed use or disclosure. 


For example: Agency B receives personal information from agency A. If organisation C asks agency 
B to disclose the information for another purpose, agency B cannot disclose the information itself - even if 
it could apply one of the exceptions under IPP 11.1 to the disclosure. It may, however, refer organisation 
C to agency A, the original source of the information. Agency A can disclose to C if it can bring itself 
within one of the exceptions to IPP 11.1. 


50 What the disclosing agency should do 


The disclosing agency should take all reasonable steps to prevent the personal information being
re-used or re-disclosed for purposes other than that for which the agency discloses it.


These steps may be set out in contract clauses or in a memorandum of understanding between the 
disclosing agency and the recipient. 


An agency should use whatever contractual or administrative authority it has, to control inappropriate
re-use or re-disclosure.


Possible arrangements include: 


• requiring the receiving organisation to return or destroy the documents once the purpose for which the
disclosure is made is completed

• requiring the receiving organisation to securely retain the personal information

• requiring the receiving organisation to impose appropriate restrictions on access and any further
disclosures

• informing the receiving organisation that these controls are required by Commonwealth law

• informing the receiving organisation that their use or disclosure of the personal information is
governed by IPP 11.3.


